Network and Communications Management
Honeymoon Holidays
Course Title: Business Information Systems with Cloud Computing
Lecturer Name: Brian Hickey
Module/Subject Title: B8IT045 – Network & Communications Management
Assignment Title: Honeymoon Holidays Co. Case Study
Number of words: 5,474 (Excluding TOC, Exec. Summary, Conclusion & Bibliography)
NETWORK ASSESSMENT AND DESIGN
APRIL 2016
DUBLIN BUSINESS SCHOOL
www.dbs.ie
CONTENTS
Figures and Diagrams
Executive Summary
Current Organizational Structure
Current Systems Review & Network Design
Current System Architecture
1. Hardware
2. Software
Proposed Network and Systems Overview
Business Case for Updating the Network and Systems
High Level Network Design (see attached Visio diagram for detailed layout)
System Architecture
1. Hardware
Communications
Routers
Switches
Cabling
Software
Desktop and Office
Detailed Network Design
Local Area Network
1. Dublin
Cork
Premium Travel
Wide Area Network
1. Inter-Office Communications
OSI Model
Data Transfer
Security
1. Provided Measures
2. Further Considerations
Proposed Wireless Plan
Wireless AP
Indoor Enterprise WLAN Deployment
Planning Wi-Fi Layout
Implementation
Rollout Phases
Risk Management
CONCLUSION
APPENDICES
Appendix 1 – Vendor Selection
Airwatch for Mobile Security
Appendix 2 – Hardware Selection
Appendix 3 – Software Selection
Appendix 4 – Business Requirements
Appendix 5 – Star Network Explanation
Appendix 6 – Costing
Bibliography
FIGURES AND DIAGRAMS
1 Current HR structure for Honeymoon Holidays
2 Existing IT Infrastructure
3 Proposed Network Layout
4 StoreFront Web API - Citrix Logon
5 Citrix logon screen presented to user
6 VLAN pruning
7 Proposed VLAN layout
8 Network for Accounts Department
9 VLAN layout for HR & Management Dublin
10 VLAN layout for Sales team Dublin
11 VLAN layout for Administration Dublin
12 Access Switch MVRP Client
13 Access Switch MVRP Client
14 VLAN layout Cork Office, Switch 9
15 VLAN layout Cork Office, Switch 10
16 Printer Scanner Copier, Cork office
17 QoS Strategy
18 OSI layer model
19 OSI 7 layers
20 Data flow through the OSI model
21 Data Encapsulation
22 FortiAP Wireless AP
23 Channel Reuse for 2.5GHz band
24 Typical Wireless AP layout with Channels
25 Multiple Access Points (roaming enabled)
26 Risk Analysis 1
27 Potential Risks for Honeymoon Holidays
28 Recommended Risk Control for Honeymoon Holidays
EXECUTIVE SUMMARY
Honeymoon Holidays proposes to upgrade its IT infrastructure by adding significant functionality, incorporating a complete review of how it does business today and new proposals for future business needs and expansion. The proposal includes a complete overview of the current IT infrastructure in the Dublin and Cork offices, including the small satellite sites. The current IT infrastructure in the Dublin and Cork offices is disjointed in design (there is no coherent network between departments), which prevents effective sharing of documentation and ideas, hampers communication and reduces efficiency.
The proposed upgrade is to provide on-premises servers (including backup), laptops, mobile phones and printers, all running seamlessly over a purpose-built network using Fortinet routers/switches which utilize the latest security concepts. Email infrastructure, office documentation and VoIP will be a cloud-based solution running on the MS Azure platform. All offices and employees will be network enabled, allowing them instant and reliable access to databases, applications, business reports and flight/hotel booking menus.
All of the existing user hardware is outdated and will be replaced by laptops, tablets and mobile phones where applicable. To reduce cost, the front desks of Sales, Administration, HR and Trainees will be serviced by dumb terminals running secure Citrix XenDesktop for login. The secure login will allow managed access to the pertinent applications, which can be easily secured by Microsoft Active Directory and Citrix security policies.
HR, Accounts, Sales and Administration will run Sage business software. Office 365, Exchange Server 2016 and Skype for Business will be deployed and made available on site and on mobile phones. Sales personnel will have access to the network 24/7, either by logging in at the office or remotely via mobile phone over secure SecurID authentication.
The Fortinet devices that are recommended are future-proof for expansion within Honeymoon Holidays. Both the FortiGate 100D and 90D models allow the Dublin and Cork offices to double in size. As the Fortinet device is an all-in-one box, it allows for future requirements such as a SOC (Security Operations Center), database security, LAN, mobile, cloud SaaS and remote users. Fortinet is also the only provider that allows trade-in of old equipment that is at end of life and trade-up on devices, and the more you add on, the cheaper it becomes.
CURRENT ORGANIZATIONAL STRUCTURE
1 Current HR structure for Honeymoon Holidays
CURRENT SYSTEMS REVIEW & NETWORK DESIGN
2 Existing IT Infrastructure
Currently, Honeymoon Holidays' systems are not communicating with each other, which results in a disconnect between departments as there is no internal communication.
The MD is currently using USB/CD to transfer files, which is neither an effective nor a secure method.
HR is still paper based, which means there is no backup of files should a fire or other disaster occur.
The Sales department has to contact the office at 5:30 each day to get updates on pricing, which is not effective as there are no real-time updates.
There is no direct overview of the Cork office.
Accounts has no view of Sales, HR or Admin, and there is no shared folder to see anything from Finance.
CURRENT SYSTEM ARCHITECTURE
1. HARDWARE
Client-server with MS Workgroup is deprecated.
The UNIX mini-computer is not fit for purpose based on the company’s requirements.
Desktops are dated and in need of replacement.
There are no details on telephony; assume standard phones.
Routers: some presence, likely a dated ISDN modem/router.
Switches: some presence, likely dated and in need of replacement.
Cabling: some presence, likely dated and in need of replacement.
Internet: outdated 1-line and 4-line ISDN connections.
2. SOFTWARE
There is no security software in place.
Known desktop software is out of support, dated and in need of replacement across the board.
PROPOSED NETWORK AND SYSTEMS OVERVIEW
BUSINESS CASE FOR UPDATING THE NETWORK AND SYSTEMS
Pros: In the modern era of sharing and exchanging information quickly and instantly, it is imperative that a spread-out organization (a business with multiple locations) has a well-connected office network. This can only be achieved by making sure these locations are connected (networked).
By networking all locations and systems, they will be able to feed, report and collect information, which will support the success of the business and the delivery of projects.
The extensive availability and economies of scale of SaaS, PaaS and IaaS solutions mean it is more important than ever that all staff are connected, to each other and to the internet.
A key benefit is the long-term reduction in the Total Cost of Ownership (TCO) of IT for the business. The use of thin-client end-user desktops running virtual desktop images is a good example of this, giving economies of scale and reducing the need for expensive replacements of physical hardware on an ongoing basis. Ultimately, this could also be a candidate for cloud hosting, but at present our recommendation is local servers for Citrix and AD to ensure users always have basic services and data available from their own offices.
Customer expectations in modern times are for a seamless, simple experience regardless of the channel through which they engage with a business. On this front it is imperative that Honeymoon Holidays has a simple, consistent approach to the services it provides. To achieve this, all satellite offices, the Cork office and “on-the-road” salespeople must have access to the same services that are available at the Dublin main office or hosted in the cloud through third-party providers. Our network architecture below achieves this, putting the customer first in ensuring quality delivery of simple services.
Cons: As with any implementation of the above, there is a cost involved. First is hiring the experts to implement it, then the capital to buy the hardware, and then the running cost of the ISP and VoIP telephony. We can expect that there will be a need for ongoing IT support for the new systems on top of the capital costs, plus annual support and maintenance costs from the various vendors. However, the risk of doing nothing is that the business will not remain competitive when consumers have so many choices available to them to make holiday bookings in the comfort of their own home, with quality after-service available.
HIGH LEVEL NETWORK DESIGN (SEE ATTACHED VISIO DIAGRAM FOR DETAILED LAYOUT)
3 Proposed Network Layout
SYSTEM ARCHITECTURE
1. HARDWARE
SERVERS
The servers are Dell PowerEdge 13G R630 rack servers running Windows Server 2012.
DESKTOPS
An easy-to-use, common interface allows employees to access apps in the office and remotely using Citrix Receiver. Citrix Receiver connects to TCP port 443 and communicates with StoreFront via the StoreFront Services API (see the Citrix logon image below). The applications run on virtual machines managed from the central Citrix server, which provides the security and authentication. The Citrix server is easily maintained, upgraded (software/hardware) and backed up from a central source. There is no requirement to deploy software patches or security updates to remote VDIs, employees’ personal computers or BYOD devices. One of VDI’s main benefits is that it is easy to provision new instances and delete them when you are done with them. This also means that separate virtual domains can easily be built on the server, allowing even greater security between sales, accounts, managers and employees. Future expansion is effortless and seamless to implement.
With VDI, the data is presented visually and traverses the network to the employee device from a remote server. This makes VDI very attractive as a security concept, as it reduces the risk of data theft or loss. For some employees, just being able to access their desktop from any location, without having to use the same client device (designated desk) every time, is a big benefit. Employees moving between work locations can access the same desktop environment with their applications and data.
Citrix XenDesktop offers a stable platform to run the MS Office 365 suite and Windows 10, and integrates seamlessly with MS Active Directory, MS Exchange 2016 and integrated VoIP/Skype for Business (S4B). By using RDSH VDI (XenDesktop) and Exchange operating in cached mode, the location of the Exchange server becomes irrelevant (in this case, in the cloud).
The main operations available through this API include:
• Authenticating users through a variety of methods: explicit forms, domain pass-through, smart card, NetScaler Gateway Single Sign-On and post credentials.
• Enumerating applications/desktops.
• Enumerating available HDX sessions.
• Reconnecting, disconnecting and logging off HDX sessions.
• Launching applications/desktops.
• Powering off specific VDI desktops.
• Retrieving images and icons for applications/desktops.
• Subscribing to applications.
StoreFront Web API for secure login over Citrix
Receiver for Web is a component of Citrix StoreFront providing access to applications and desktops using a web browser over HTTPS (SSL 2.0 and/or TLS). It comprises a User Interface tier and a StoreFront Services Web Proxy tier. This architecture is illustrated below.
4 StoreFront Web API - Citrix Logon
CitrixReceiver configuration
The Web Proxy tier is a bridge between the UI tier and the StoreFront Services (namely the Authentication Service and the Store Service). It provides a simplified API suitable for consumption by a JavaScript/Ajax client running in a web browser. The HTTPS protocol is used to secure data passing between the server and StoreFront. HTTPS uses SSL or TLS, providing strong data encryption. However, since StoreFront requires IIS to communicate effectively with Active Directory, it is advisable that the SSL 2.0 provided by IIS is used.
5 Citrix logon screen presented to user
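The report relies on the SSL 2.0 that IIS offers. SSL 2.0 was prohibited by RFC 6176 and SSL 3.0 deprecated by RFC 7568, and a StoreFront site behind IIS would normally be configured for TLS 1.2 or later. The following is an added example, not code from the report or from Citrix, showing the client-side policy a Receiver-style client would enforce against a StoreFront endpoint: TLS 1.2 or newer only, a certificate chain validated against the trusted CA store, and a host name check. The host name storefront.example.invalid and all function names are placeholders chosen for this example.

```python
# Added example (not from the report or Citrix): client-side TLS policy for
# a StoreFront / Receiver for Web endpoint. Host name is a placeholder.
import socket
import ssl

STOREFRONT_HOST = "storefront.example.invalid"   # placeholder, not a real host
STOREFRONT_PORT = 443                             # port Receiver uses per the report


def storefront_client_context() -> ssl.SSLContext:
    """Context that refuses SSL 2.0/3.0 and TLS 1.0/1.1 and insists on a
    valid certificate whose name matches the StoreFront host."""
    ctx = ssl.create_default_context()           # loads the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # floor; TLS 1.3 still allowed
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


_VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1_1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1_2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1_3", ssl.TLSVersion.TLSv1_3),
]


def protocol_policy(ctx: ssl.SSLContext) -> dict:
    """Report which protocol versions the context would negotiate and whether
    it verifies the server certificate. SSL 2.0 is absent from the list because
    the OpenSSL behind a modern Python cannot speak it at all."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    policy = {}
    for name, ver in _VERSIONS:
        above_min = lo == ssl.TLSVersion.MINIMUM_SUPPORTED or ver >= lo
        below_max = hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or ver <= hi
        policy[name] = bool(above_min and below_max)
    policy["cert_required"] = ctx.verify_mode == ssl.CERT_REQUIRED
    policy["hostname_checked"] = bool(ctx.check_hostname)
    return policy


def negotiated_version(host=STOREFRONT_HOST, port=STOREFRONT_PORT, timeout=5.0) -> str:
    """Open one TLS connection under the policy and return the negotiated
    protocol. Raises ssl.SSLError instead of silently downgrading when the
    server offers nothing newer than TLS 1.1 or presents a bad certificate."""
    ctx = storefront_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    for key, value in protocol_policy(storefront_client_context()).items():
        print(f"{key:<18}{value}")
```

Run stand-alone the script prints the policy table; negotiated_version() is only useful with a reachable StoreFront host. The same version floor has to be applied on the IIS side (Schannel) so that an older client cannot negotiate the connection down below what this client would accept.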
ROUTERS
We are recommending Juniper routers to fit in with the switch selection and ensure all relevant protocols are supported across the network.
The MX series routers are affordable and provide the following requirements:
VPLS (Virtual Private LAN Service).
MPLS Label-Switched Paths and Fast Reroute.
Bidirectional Forwarding Detection.
Hierarchical QoS.
Pay-as-you-grow capacity upgrades.
SWITCHES
We are recommending Juniper switches that support the MVRP Layer 2 protocol, allowing VLAN-to-VLAN traffic using the IEEE 802.1ak standard. This does not encapsulate frames, but inserts a tag and computes a new frame check sequence at the end of the frame. “Trunk ports” are used between the Layer 2 access switches and the Layer 3 distribution switches; using MVRP, the trunk ports are automatically provisioned based on which VLANs have devices connected to each of the access switches. This benefits overall network performance by avoiding the distribution of unwanted traffic from the distribution switches.
6 VLAN pruning
(YouTube, 2016)
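The sentence above describes what an IEEE 802.1Q VLAN tag (the tagging whose VLANs MVRP registers on trunk ports) does to a frame. As an added example, not code from the report or from Juniper, the Python below builds a constructed Ethernet frame, inserts a tag carrying VLAN 2 (the report's VoIP VLAN) after the source MAC, recomputes the 4-byte frame check sequence, and parses the result. The MAC addresses and payload are constructed sample data; the function names are this example's own.

```python
# Added example (not from the report): what "insert a tag and compute a new
# frame check sequence" means for an IEEE 802.1Q VLAN tag on an Ethernet frame.
# Addresses and payload below are constructed sample data.
import struct
import zlib

TPID_8021Q = 0x8100   # EtherType value that marks a tagged frame


def ethernet_fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over destination MAC through payload, transmitted
    least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def fcs_is_valid(frame: bytes) -> bool:
    return len(frame) > 4 and ethernet_fcs(frame[:-4]) == frame[-4:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame. Minimum-size padding is not modelled: the sample payload
    is kept at 46 bytes or more so the frame is already a valid length."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + ethernet_fcs(body)


def add_vlan_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the source MAC and recompute the FCS.
    The payload is untouched (no encapsulation); the frame grows by 4 bytes."""
    if not 1 <= vid <= 4094:      # 0 = priority-only tag, 4095 = reserved
        raise ValueError("VID must be 1..4094")
    body = frame[:-4]
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged + ethernet_fcs(tagged)


def strip_vlan_tag(frame: bytes) -> bytes:
    """What an access port does on egress: remove the tag, recompute the FCS."""
    body = frame[:-4]
    if struct.unpack("!H", body[12:14])[0] != TPID_8021Q:
        return frame
    untagged = body[:12] + body[16:]
    return untagged + ethernet_fcs(untagged)


def parse_frame(frame: bytes) -> dict:
    """Verify the FCS, then read addresses, VLAN tag (if present) and EtherType."""
    if not fcs_is_valid(frame):
        raise ValueError("bad FCS: corrupted, or tag edited without recomputing")
    body = frame[:-4]
    info = {"dst": body[:6].hex(":"), "src": body[6:12].hex(":"),
            "vid": None, "pcp": None}
    off = 12
    ethertype = struct.unpack("!H", body[off:off + 2])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", body[off + 2:off + 4])[0]
        info["pcp"], info["vid"] = tci >> 13, tci & 0x0FFF
        off += 4
        ethertype = struct.unpack("!H", body[off:off + 2])[0]
    info["ethertype"] = ethertype
    info["payload"] = body[off + 2:]
    return info


# Constructed sample frame: IPv4 EtherType, 46-byte placeholder payload.
SAMPLE_DST = bytes.fromhex("001122334455")
SAMPLE_SRC = bytes.fromhex("66778899aabb")
SAMPLE_PAYLOAD = b"sample payload".ljust(46, b"\x00")
SAMPLE_FRAME = build_frame(SAMPLE_DST, SAMPLE_SRC, 0x0800, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    tagged = add_vlan_tag(SAMPLE_FRAME, vid=2, pcp=5)   # VoIP VLAN, voice CoS
    print(len(SAMPLE_FRAME), "->", len(tagged), "bytes")
    print(parse_frame(tagged))
    print("stripped matches original:", strip_vlan_tag(tagged) == SAMPLE_FRAME)
```

The FCS is a CRC-32: it detects transmission errors, but it is not a security control, since anything able to rewrite the frame can also recompute the checksum. VLAN tagging is therefore a segmentation measure, and access control between VLANs still belongs at the Layer 3 boundary (the firewall recommended later in this report).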
All switches must also support the required Power over Ethernet (PoE) and dual power supplies.
CABLING
We would recommend the CAT6 specification as it is suitable for up to 10 gigabit Ethernet at 250 MHz and would future-proof the network. CAT6 has an internal separator that isolates the pairs from one another, which means it is much better at limiting crosstalk compared to CAT5 and CAT5e. We would highly recommend using the star topology, as this centralizes management of the network through the use of the central switch. It is also easier to add another computer to the network, and if one computer on the network fails, the rest of the network continues to function normally. Network Solutions offer installation and configuration at a low rate and are highly recommended (Appendix 3).
2. COMMUNICATIONS
Email, VOIP and Desktop applications.
The recommended employee-facing services are Office 365 Business (a SaaS service), Exchange Server 2016 and Skype for Business. These services can be provided on Microsoft Azure and are managed centrally by Microsoft. Email will become the communication medium of choice within the business. Having Exchange and Office 365 in the cloud enhances document sharing and eliminates document version-control problems. Background maintenance and product updates are managed centrally by the hosting provider, eliminating the need for on-site dedicated IT support. Also provided are Data Loss Prevention, Managed Availability, automatic recovery from storage failures and a web-based Exchange admin center for managing user accounts and security (managed either internally or externally).
Skype for Business
Office 365 Business Enterprise customers can avail of S4B for the following:
Skype Meeting Broadcast – enabling meetings over the internet (10,000 connections max).
PSTN Conferencing – invite people to join meetings via landline or mobile phones.
Free calls and meetings within the business.
Integrated IM within the business, with the option to make it available to external clients. This will allow remote chat support to clients querying holiday bookings or making enquiries.
Skype uses ‘MS Notification Protocol 24’, moving away from a peer-to-peer architecture. The protocol specification has not been made publicly available. Included in S4B are video conferencing and instant messaging, where messages are easily shared with a single user or multiple users of the service. Group meetings and sharing of information can be performed easily without the need for users to leave their desks and enter a meeting room.
We would recommend Eir, as they have been a Cisco Gold partner for many years and have the best experience in the industry to deploy a VoIP solution (https://business.eir.ie/sipvoice).
The SIP-enabled IP PBX provides the telephony infrastructure inside the business and replaces the PBX server. This allows you to rapidly scale to cope with temporary or seasonal demand.
SIP voice ultimately costs less for voice service and secures the added benefit of resilience. It is a unified communications and collaboration service, allowing voice and video to traverse IP networks, although bandwidth and quality of service must be carefully managed to protect application performance.
Important considerations in choosing a cloud VoIP provider are:
Quality of codecs: the sound quality of the audio communication and also the bandwidth being used.
Quality of Service (QoS): the network must have low latency and sufficient bandwidth for a successful VoIP setup.
3. VLANS
We are recommending segregating the internal network to four separate subnets as below:
VLAN     VLAN Name   Subnet Mask        Network Add.   Broadcast Add.   Total Hosts
VLAN 1   Users       255.255.252.0      10.1.0.0       10.1.63.255      1,022
VLAN 2   VOIP        255.255.252.0      10.200.0.0     10.200.63.255    1,022
VLAN 3   Devices     255.255.255.0      192.168.1.0    192.168.1.255    254
VLAN 4   Servers     255.255.255.240    192.168.2.0    192.168.2.15     14
7 Proposed VLAN layout
VLAN 1 will be for the users, covering all XenDesktop thin-client connections, all laptops and all mobile access. It is a /22 network to allow growth in host connections, particularly as users utilize more devices (thin-client desktop, laptop, tablet, phone).
VLAN 2 will be for the VoIP real-time audio communications, again a /22 network with plenty of capacity for growth.
VLAN 3 will be for all network-attached devices such as printers, scanners etc. This will be a /24 network, as there are much lower capacity requirements and less growth expected.
VLAN 4 will be for the servers. This is a /28 network with only 14 hosts, acting as a simple first measure of security for the servers by reducing the number of potential IPs in the same VLAN.
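As an added example, not part of the report, the Python below recomputes the plan in the table above from its network addresses and masks using the standard-library ipaddress module, checks that no two VLANs overlap, and maps a host address back to its VLAN. Deriving the values rather than typing them catches slips: for 10.1.0.0 with mask 255.255.252.0 the broadcast address computes to 10.1.3.255 (the figure used in the per-department layouts later in this document) with 1,022 usable hosts. The function names are this example's own.

```python
# Added example (not from the report): recompute the VLAN addressing plan from
# the report's network addresses and masks, and sanity-check it.
import ipaddress
from itertools import combinations

# (VLAN id, name, network address, subnet mask) as listed in the report's table
VLAN_PLAN = [
    (1, "Users",   "10.1.0.0",    "255.255.252.0"),
    (2, "VOIP",    "10.200.0.0",  "255.255.252.0"),
    (3, "Devices", "192.168.1.0", "255.255.255.0"),
    (4, "Servers", "192.168.2.0", "255.255.255.240"),
]


def describe_vlan(vlan_id, name, address, mask):
    """Derive prefix length, broadcast address and usable host count from a
    network address and a dotted-decimal mask. strict=True rejects an address
    with host bits set, i.e. one that is not really a network address."""
    net = ipaddress.ip_network(f"{address}/{mask}", strict=True)
    return {
        "vlan": vlan_id,
        "name": name,
        "cidr": str(net),                       # e.g. 10.1.0.0/22
        "mask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": net.num_addresses - 2,  # minus network and broadcast
    }


def build_plan(plan=VLAN_PLAN):
    """One descriptor per VLAN, in table order."""
    return [describe_vlan(*row) for row in plan]


def overlapping_vlans(plan=VLAN_PLAN):
    """Pairs of VLAN ids whose subnets overlap. Inter-VLAN routing and firewall
    rules keyed on subnet become ambiguous if this list is not empty."""
    nets = {row[0]: ipaddress.ip_network(f"{row[2]}/{row[3]}") for row in plan}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def vlan_for_address(address, plan=VLAN_PLAN):
    """Which VLAN a host address belongs to, or None if it is outside the plan
    (useful when checking a DHCP scope or a static assignment)."""
    ip = ipaddress.ip_address(address)
    for row in plan:
        if ip in ipaddress.ip_network(f"{row[2]}/{row[3]}"):
            return row[0]
    return None


def print_plan(plan=VLAN_PLAN):
    fmt = "{:<5}{:<9}{:<19}{:<17}{:<16}{:>6}"
    print(fmt.format("VLAN", "Name", "CIDR", "Mask", "Broadcast", "Hosts"))
    for v in build_plan(plan):
        print(fmt.format(v["vlan"], v["name"], v["cidr"], v["mask"],
                         v["broadcast"], v["usable_hosts"]))
    print("overlapping subnets:", overlapping_vlans(plan) or "none")


if __name__ == "__main__":
    print_plan()
```

The /28 server VLAN is the one to watch when hosts are added: with 14 usable addresses, the gateway and any firewall or backup appliance each consume one, so the plan should record those reservations before the first server is assigned.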
4. FIREWALL, VPN, AV AND WEB FILTER - FORTINET
We are recommending the use of an all-in-one hardware solution from Fortinet for addressing these needs.
The travel industry faces many cyber threats due to the nature of the online booking business. With the EU data protection rules that came into place this year, client information must be protected as a priority, as a single breach could possibly bankrupt a business. Part of any business's day-to-day operation is data retention: data center, financial information, credit card information, names, addresses and passport information, flight details, identity theft, and ensuring Payment Card Industry (PCI) compliance for clients.
Traditionally an SME would run multiple systems, a complicated mix-and-match of units, and support services from many vendors, each with its own alerts and way of managing each device, leading to an unmanageable infrastructure where gaps can be difficult to find.
5. SOFTWARE
DESKTOP AND OFFICE
Citrix XenDesktop
We are recommending a thin-client architecture as detailed above, which will run the Citrix XenDesktop software. The provided VDIs will run Windows 10, to ensure the latest support and security patches are available from Microsoft.
Office 365
For enabling the office to communicate effectively and produce quality documentation:
- Microsoft Office Suite.
HRMS
We are recommending the purchasing of a new HR Management System to satisfy the HR Software Requirements. For this, we are recommending the use of Sage Software’s “Sage HR”. This allows storing of employee data in one place and integrates with the Sage Payroll solution.
PAYROLL
We are recommending the purchase of a new payroll system to satisfy the HR and Accounts payroll software requirements. For this, we are recommending the use of Sage Software’s “Micropay Professional”. This allows uploading of timesheets, shares common employee data with Sage HR and integrates with the firm's accounting software. (Shop.sage.ie, 2016)
CRM
Again, for the CRM software, to maintain the standardized software offerings, consistent look and feel and sharing of common data we are recommending Sage’s “CRM Cloud Professional”. (Shop.sage.ie, 2016)
PAYMENTS
It will be critical for the fully networked and new online presence of Honeymoon Holidays that they can securely accept payments online and over the phone. To facilitate this, we are recommending the use of “Sage Pay Online Payments”. This will be available to the Sales staff on mobile, tablet and laptops, to the administration staff, and via the new company website. (Sage.ie, 2016)
ACCOUNTS
There is a requirement to replace the outdated accounting system and in keeping with the entire Sage suite and the integration benefits that it brings, we are recommending the use of “Sage 50 Accounts Professional”. (Sage.ie, 2016). This also meets the requirement of integration with the company’s banking provider.
6. COMPANY WEBSITE
With the new infrastructure rollout and approach to business, it is strongly advised that a website be provided for internal use and external clients. The website should follow the company name: www.honeymoonholidays.com. The domain name should be registered online with any readily available company (letshost.ie, register365.ie, blackknight.ie) for a small cost of approx. 20 per month. The website should be hosted on the MS Azure Business platform (IaaS and PaaS). With the PaaS model, Azure can be used as a development, hosting and management service, allowing the company full autonomy to design a website which provides a full intranet and internet service. Azure offers various purchase options; the Pay-As-You-Go subscription is the recommended option: no minimum purchase or commitments, and the ability to cancel at any time.
DETAILED NETWORK DESIGN
LOCAL AREA NETWORK
1. DUBLIN
NETWORK DESIGN AND LAYOUT
Accounts Team, First Floor, Dublin
8 Network for Accounts Department
There will be 7 VoIP phones set up on “VOIP - VLAN 2”, connected to either Access Switch 1 or Access Switch 2 via powered Ethernet as per the above diagram. The VoIP phones will provide an Ethernet pass-through for the connected thin-client terminals. There is capacity for further growth on each switch.
Desktops: Users VLAN 1
Network Address: 10.1.0.0/22
Broadcast Address: 10.1.3.255
Subnet Mask: 255.255.252.0
Phones: VOIP VLAN 2
Network Address: 10.200.0.0/22
Broadcast Address: 10.200.3.255
Subnet Mask: 255.255.252.0
HR & Management, First Floor, Dublin
9 VLAN layout for HR & Management Dublin
There will be 5 VoIP phones set up on “VOIP - VLAN 2”, connected to either Access Switch 3 or Access Switch 4 via powered Ethernet as per the above diagram. The VoIP phones will provide an Ethernet pass-through for the connected thin-client terminals. There is capacity for further growth on each switch.
Desktops: Users VLAN 1
Network Address: 10.1.0.0/22
Broadcast Address: 10.1.3.255
Subnet Mask: 255.255.252.0
Phones: VOIP VLAN 2
Network Address: 10.200.0.0/22
Broadcast Address: 10.200.3.255
Subnet Mask: 255.255.252.0
Sales, Ground Floor, Dublin
10 VLAN layout for Sales team Dublin
There will be 9 VoIP phones set up on “VOIP - VLAN 2”, connected to either Access Switch 5 or Access Switch 6 via powered Ethernet as per the above diagram. The VoIP phones will provide an Ethernet pass-through for the connected thin-client terminals and for laptop LAN cables when required at the desk. There is capacity for further growth on each switch.
Sales tablets and mobile devices can access the Wireless network as needed (See Proposed Wireless Plan).
Desktops: Users VLAN 1
Network Address: 10.1.0.0/22
Broadcast Address: 10.1.3.255
Subnet Mask: 255.255.252.0
Phones: VOIP VLAN 2
Network Address: 10.200.0.0/22
Broadcast Address: 10.200.3.255
Subnet Mask: 255.255.252.0
Administration, Ground Floor Dublin
11 VLAN layout for Administration Dublin
There will be 7 VOIP phones set up on the “VOIP - VLAN 2”, connected to either Access Switch 7 or Access Switch 8 via Power over Ethernet (PoE) as per the above diagram. The VOIP phones provide an Ethernet pass-through for the connected thin-client terminals. There is capacity for further growth on each switch.
Desktops: Users VLAN 1
Network Address: 10.1.0.0/22
Broadcast Address: 10.1.3.255
Subnet Mask: 255.255.252.0
Phones: VOIP VLAN 2
Network Address: 10.200.0.0/22
Broadcast Address: 10.200.3.255
Subnet Mask: 255.255.252.0
Devices and Meeting Room
12 Access Switch MVRP Client
13 Access Switch MVRP Client
Devices will be connected to the “Devices - VLAN 3”, along with the Polycom equipment present in the first floor meeting area. These are connected to Access Switch 2 and Access Switch 8 respectively, where there is still further room for growth.
Devices VLAN 3
Network Address: 192.168.1.0/24
Broadcast Address: 192.168.1.255
Subnet Mask: 255.255.255.0
2. CORK PREMIUM TRAVEL
14 VLAN layout Cork Office, Switch 9
15 VLAN layout Cork Office, Switch 10
There will be 10 VOIP phones set up on the “VOIP - VLAN 2”, connected to either Access Switch 9 or Access Switch 10 via Power over Ethernet (PoE) as per the above diagram. The VOIP phones provide an Ethernet pass-through for the laptops when they are being used at the desks. Laptops also have connectivity to the building's WAP (see Proposed Wireless Plan). The recommendation for laptops here is purely on the basis that these staff may also be acting as “on-the-road” sales staff. It will be at the company's discretion whether laptops or additional thin-client desktops are the preference here.
There is capacity for further growth on each switch.
Desktops: Users VLAN 1
Network Address: 10.1.0.0/22
Broadcast Address: 10.1.3.255
Subnet Mask: 255.255.252.0
Phones: VOIP VLAN 2
Network Address: 10.200.0.0/22
Broadcast Address: 10.200.3.255
Subnet Mask: 255.255.252.0
16 Printer Scanner Copier, Cork office
A single MFD (printer/scanner/copier) will be connected to the “Devices - VLAN 3” on Access Switch 9 or Access Switch 10, where there is still further room for growth or the addition of a Polycom device.
Devices VLAN 3
Network Address: 192.168.1.0/24
Broadcast Address: 192.168.1.255
Subnet Mask: 255.255.255.0
3. SERVER ROOMS
Server rooms will consist of three servers, one router and a firewall per site, along with hosting the distribution switches (to be assessed on further inspection of the premises). This network is kept to a small range of IP addressing (a /28 gives 14 usable host addresses) so that unused addresses are kept to a minimum, while still leaving room for growth if required; with both sites' servers, routers and firewalls sharing the one /28, address usage should be checked against those 14 before growth is assumed. A small subnet is not in itself a security control: access to the server VLAN from the user, VOIP, device and guest VLANs must be restricted by firewall policy (see Inter-office Communications) so that only the required services, such as the Citrix and AD/file services, are reachable from each VLAN.
Servers VLAN 4:
Network Address: 192.168.2.0/28
Broadcast Address: 192.168.2.15
Subnet Mask: 255.255.255.240
WIDE AREA NETWORK
1. INTER-OFFICE COMMUNICATIONS
For inter-office communication each site/office requires an internet connection via its local ISP.
The bandwidth of each site's internet connection depends on the amount and frequency of data traffic between offices/sites.
Each site will require a router as the point of inbound/outbound traffic, and a firewall to protect the LAN from malicious attacks; all inbound/outbound traffic will be filtered through it. To establish inter-office connectivity, a site-to-site virtual private network (VPN) will be set up on each firewall to allow transparent data traffic between offices/sites.
Firewalls also provide access lists through which specific traffic is allowed or denied in and out of each office, and between the VLANs within it.
In effect the above scheme establishes Honeymoon Holidays' Wide Area Network (WAN).
For the ISPs it is vital that the business internet service provides Multiprotocol Label Switching (MPLS). MPLS operates between layers 2 and 3 of the OSI model (“layer 2.5”): a label (shim header) is inserted between the layer 2 frame header and the IP packet. A layer 2 MPLS VPN service tunnels Ethernet frames across the ISP from one site to another, effectively extending the LAN, which is what allows the same VLANs and subnets to be used at both sites. It is an any-to-any connection, so with two or more offices it is not dependent on a single “central” office. MPLS separates the company's traffic from other customers' traffic but does not encrypt it; confidentiality over the carrier network comes from the IPsec VPN between the site firewalls (see Data Transfer). The extension of the LAN over the ISP network is important on two fronts:
1. Simplicity: The devices on each site, in each VLAN, are effectively local, making the overall network easier to manage.
2. Quality of Service: QoS considerations are paramount when an organization is using real-time audio communication with VOIP phones. Voice traffic is far more sensitive to delay, jitter and packet loss than ordinary data traffic, and MPLS allows the company's QoS markings to be carried across the ISP's network so that voice is given priority over data. More broadly speaking, this allows for differentiated services:
- Classify traffic
- Mark traffic
- Congestion management (queuing)
- Congestion avoidance
- Traffic conditioning
- Traffic policing
- Traffic shaping
Internal QoS classifications can be mapped to the ISP's classifications and vice versa:
17 QoS Strategy
(YouTube, 2016)
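The differentiated-services steps listed above (classify, mark, police, map to the ISP's classes) in working code. This is an added example, not part of the original report or of any vendor's product: the VLAN numbers match the design, but the class-to-DSCP table, the ISP class names, the port ranges used for classification and the policing rate are illustrative assumptions, and every packet is constructed test data.

```python
"""Minimal QoS pipeline: classify -> mark (DSCP) -> police (token bucket)
-> map to an ISP MPLS class. Added example; the mappings and ports are
assumptions, not Honeymoon Holidays' or any ISP's actual policy."""
from dataclasses import dataclass

VOICE_VLAN = 2      # "VOIP - VLAN 2" from the design
USERS_VLAN = 1      # "Users VLAN 1"
DEVICES_VLAN = 3    # "Devices VLAN 3"

# Assumed class -> DSCP marking (EF=46, AF31=26 and BE=0 are standard code points)
CLASS_DSCP = {"voice": 46, "business-data": 26, "best-effort": 0}
# Assumed mapping of our DSCP values onto an ISP's MPLS service classes
ISP_CLASS = {46: "realtime", 26: "priority-data", 0: "standard"}


@dataclass
class Packet:
    vlan: int
    proto: str        # "udp" or "tcp"
    dst_port: int
    size: int         # bytes on the wire
    dscp: int = 0


def classify(pkt: Packet) -> str:
    """Classify on VLAN plus transport header (assumed policy)."""
    if pkt.vlan == VOICE_VLAN and pkt.proto == "udp" and 16384 <= pkt.dst_port <= 32767:
        return "voice"                   # assumed RTP port range for the phones
    if pkt.vlan == USERS_VLAN and pkt.proto == "tcp" and pkt.dst_port in (443, 1494, 2598):
        return "business-data"           # HTTPS and Citrix ICA/CGP
    return "best-effort"


def mark(pkt: Packet) -> Packet:
    """Write the DSCP value for the packet's class into the packet."""
    pkt.dscp = CLASS_DSCP[classify(pkt)]
    return pkt


class TokenBucket:
    """Single-rate policer: `rate` bytes/second, `burst` bytes of credit.
    A packet conforms if enough tokens have accumulated; otherwise the
    caller drops or re-marks it."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def conform(self, size: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police(packets, rate, burst):
    """packets: list of (timestamp_seconds, Packet). Returns (conforming, dropped)."""
    bucket = TokenBucket(rate, burst)
    ok, dropped = [], []
    for t, pkt in packets:
        (ok if bucket.conform(pkt.size, t) else dropped).append(pkt)
    return ok, dropped


def isp_class(pkt: Packet) -> str:
    """Map our internal marking to the ISP's class (unknown DSCP -> standard)."""
    return ISP_CLASS.get(pkt.dscp, "standard")


if __name__ == "__main__":
    voice = mark(Packet(VOICE_VLAN, "udp", 20000, 200))
    print(classify(voice), voice.dscp, isp_class(voice))
    stream = [(0.0, Packet(VOICE_VLAN, "udp", 20000, 600)),
              (0.0, Packet(VOICE_VLAN, "udp", 20000, 600)),
              (1.0, Packet(VOICE_VLAN, "udp", 20000, 600))]
    ok, dropped = police([(t, mark(p)) for t, p in stream], rate=1000, burst=1000)
    print(len(ok), "conforming,", len(dropped), "dropped")
```

The policer is what protects the voice class from itself: if a mis-marked bulk transfer landed in the EF class it would be dropped once it exceeded the contracted voice rate, rather than starving the real calls, which is why marking at the edge should always be paired with policing before the ISP hand-off.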
OSI MODEL
18 OSI Layer model
(Blog.buildingautomationmonthly.com, 2016)
Relate to Honeymoon Holidays:
Layer: Description / Honeymoon Holidays example
7 Application: Functions performed by users to complete various tasks over the network. / Applications leveraging HTTP(S): Citrix, Office 365, Sage etc.
6 Presentation: Special processing required by applications, such as translation and encryption. / TLS (SSL) termination and inspection on the Fortinet firewall, and any other use of TLS.
5 Session: Logical linking of software application processes. / Any software leveraging APIs.
4 Transport: Link between the application layers and the lower “concrete” layers. / TCP, UDP.
3 Network: Defines how interconnected networks function. / IP subnets and inter-VLAN routing on the distribution switches (the MPLS label sits between layers 2 and 3).
2 Data Link: LAN technologies. / Ethernet, 802.1Q VLANs, 802.11.
1 Physical: Hardware specs, encoding, data transmission and reception. / Physical equipment, cabling, topologies.
19 OSI 7 layers
DATA TRANSFER
Application data will traverse the new network topology as described below, through encapsulation on the sending host and decapsulation on the receiving host. Example: a user sending an e-mail via the Office 365 cloud service.
Host A (sending, encapsulation)                                Host B (receiving, decapsulation)
7 Application    Data                                          Data                          Application 7
6 Presentation   Data                                          Data                          Presentation 6
5 Session        Data                                          Data                          Session 5
4 Transport      TCP | Data                                    TCP | Data                    Transport 4
3 Network        IP | TCP | Data                               IP | TCP | Data               Network 3
2 Data Link      Ethernet | IP | TCP | Data                    Ethernet | IP | TCP | Data    Data Link 2
1 Physical       11010101110101101110000111000001111110101 ---------->                      Physical 1
                 <----------------------------- Network ----------------------------->
20 Data flow through the OSI model.
For our networks, which use IPsec for the VPNs, the following type of additional encapsulation would be present. The VLAN ID is carried in the 802.1Q tag of the Ethernet header; MVRP is the protocol the switches use to register those VLANs on the trunk ports, and it does not appear in the data frames themselves.
The MPLS label allows for the extension of QoS over the ISP's network, and ensures that the key traffic identified by Honeymoon Holidays, such as voice, maintains a base quality, while data traffic, which can afford to be slower, is given less priority (see the section on Quality of Service).
21 Data Encapsulation
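The encapsulation described above, built and then unpacked layer by layer, as an added example that is not part of the original report: it constructs the Ethernet II + 802.1Q + IPv4 + UDP frame a phone on VLAN 2 would send, then decapsulates it to recover the VLAN ID and the DSCP value that the QoS design acts on. The MAC addresses, IP addresses (taken from the VOIP subnet), ports and payload are constructed test values; the IPsec and MPLS layers that would wrap this frame on the WAN are outside the example.

```python
"""Build and parse an 802.1Q-tagged IPv4/UDP frame (added example).
Addresses and payload are constructed; no real device is involved."""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(src_mac, dst_mac, vlan_id, src_ip, dst_ip, src_port, dst_port, payload, dscp=0):
    # Layer 4: UDP header; checksum 0 means "not computed" (permitted for IPv4)
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    # Layer 3: IPv4 header, DSCP in the top six bits of the TOS byte, checksum filled in after
    total_len = 20 + len(udp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, total_len, 0x1234, 0x4000, 64,
                         PROTO_UDP, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    # Layer 2: Ethernet II with an 802.1Q tag; PCP 5 is the usual voice priority (assumption)
    pcp = 5 if dscp == 46 else 0
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4))
    return eth + ip_hdr + udp


def decapsulate(frame: bytes) -> dict:
    """Strip the headers in the reverse order and return the fields QoS and
    the VLAN design depend on. Raises ValueError on a corrupted header."""
    etype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id, pcp = 14, None, None
    if etype == ETHERTYPE_VLAN:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan_id, pcp = tci & 0x0FFF, tci >> 13
        offset = 18
    if etype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[offset] & 0x0F) * 4
    ip_hdr = frame[offset:offset + ihl]
    if ipv4_checksum(ip_hdr) != 0:          # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    tos, total_len = ip_hdr[1], struct.unpack("!H", ip_hdr[2:4])[0]
    if ip_hdr[9] != PROTO_UDP:
        raise ValueError("not UDP")
    l4 = frame[offset + ihl:offset + total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
    return {"vlan_id": vlan_id, "pcp": pcp, "dscp": tos >> 2,
            "src_ip": ".".join(map(str, ip_hdr[12:16])),
            "dst_ip": ".".join(map(str, ip_hdr[16:20])),
            "src_port": sport, "dst_port": dport, "payload": l4[8:ulen]}


if __name__ == "__main__":
    frame = encapsulate("00:11:22:33:44:55", "66:77:88:99:aa:bb", 2,
                        "10.200.0.10", "10.200.0.20", 20000, 20000, b"rtp-sample", dscp=46)
    print(len(frame), "bytes:", frame.hex())
    print(decapsulate(frame))
```

The checksum check is the reason the decapsulation stops on a damaged header rather than passing garbage up the stack; the same idea, verify before you trust, is what the IPsec layer adds for the WAN hop, where integrity is protected cryptographically rather than by a plain checksum.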
SECURITY
1. PROVIDED MEASURES
In order to apply protection against these real threats to a business and minimize the potential for a breach, an organization needs to ensure it has the following:
Firewall: The service is based on Fortinet's award-winning range of Next Generation Firewall (NGFW) and Unified Threat Management (UTM) appliances, which provide firewall, VPN, intrusion prevention (IPS), antimalware and web filtering capabilities.
- The firewall service provides organizations with a firewall optimized and configured for their environment. Fortinet is a provider of ICSA, EAL4+ and NSS certified UTM solutions, powered by a custom-designed ASIC for real-time content processing and network protection.
- Firewalls are delivered with the full UTM subscription, which provides the firewall, VPN, IPS, antimalware and web filtering capabilities. Once the firewall is installed and configured, ongoing configuration, maintenance and support is delivered by our SOC staff, who monitor the environment on a 24x7 basis.
Anti-virus: Real-time protection against the installation of malicious software.
VPN: The SSL VPN establishes a TLS-encrypted tunnel between the remote user's client (browser or FortiClient) and the firewall, ensuring that all data passed between the remote user and the office network remains private. Site-to-site traffic between the offices uses IPsec (see Wide Area Network).
Web filtering: Combines sophisticated filtering capabilities with a powerful policy engine and cloud-based model to create a high-performance, flexible web content filtering solution.
Anti-spam: Antispam detection capabilities provide greater protection than standard real-time blacklists.
Intrusion prevention: Monitor, log, identify and block malicious network activity.
Data loss prevention: Sophisticated pattern matching to prevent unauthorized communication of sensitive or regulated data through the corporate perimeter.
Fortinet solutions allow all components to be managed under one roof. Fortinet provides a comprehensive security infrastructure from the VM service or endpoint through to the perimeter: a complete solution that delivers more control, greater visibility and less complexity.
Fortinet offer a firewall device that provides all of these protections in one box, and we would highly recommend the Fortinet solution; see the appendix for a description of all solutions. Enabling this configuration will allow for greater protection and compliance for Honeymoon Holidays, as the current systems have many vulnerabilities. Within this control set we can also apply web proxy and filtering policy to users and groups through the domain controller, to manage which internet resources each internal team has access to, which was a concern raised by the finance manager. Combined with group-based permissions on the file shares held on the AD/file servers, this will give him better control and visibility over files and access for each team member and department.
2. FURTHER CONSIDERATIONS
With access to the VPN, both the CEO and the finance manager will be able to work remotely by logging in via VPN and have secure access to the shared drives without having to use USB drives. This will also allow the sales team to log in remotely while out on the road, instead of calling in each evening to get pricing, and allow for real-time updates on pricing. Remote VPN logins should be protected with two-factor authentication (FortiToken, see Appendix 1) so that a stolen password alone does not give access to the network.
Within the network we will also need to separate out the printers, scanners, wireless controller and APs onto different VLANs to ensure control, as the accounts team and HR department must have greater security since they hold financial and personnel-sensitive details.
As the retail shops will have their own devices and their own Wi-Fi access, we will issue VPN soft tokens to them so that they can securely update customer information and sales as appropriate.
PROPOSED WIRELESS PLAN
We propose a wireless network to enable BYOD, business tablets and the ability of users to hot-desk within the business. There are two basic types of wireless deployment, coverage and capacity. The goal is to provide a good quality of service (QoS) over as much area as possible with a single or multiple access points.
In a coverage design the number of access points (APs) is determined by signal strength, which in turn is determined by the type of site, floor layout, construction materials, number of floors, physical obstructions etc.
In a capacity design the objective is to provide a good quality of wireless service so that the business can use its devices efficiently. Factors that determine QoS are the number of users covered by a single AP, the number of Wi-Fi devices per person, the percentage of users expected to be active at once, the type of applications being used, etc.
WIRELESS AP
FortiAP are thin access points, delivering secure, identity-driven Wi-Fi access for an enterprise network, managed centrally by the integrated WLAN controller of any FortiGate security appliance. With the integration of the wireless controller functionality into the market leading FortiGate appliance, Fortinet delivers a true Unified Access Layer. This enables you to easily manage wired and wireless security from a Single Pane of Glass management console and protects your network from the latest security threats.
INDOOR ENTERPRISE WLAN DEPLOYMENT
Office Wi-Fi provides a convenient way to hot-desk without the need for extra cabling in each office. It also provides internet access for mobile and tablet devices as well as visiting clients.
Users can take laptops into meetings and connect via office Wi-Fi, eliminating the need for extra cabling connections in the boardroom or other meeting rooms.
APs are low-cost devices and require very little management and maintenance once set up.
To implement office Wi-Fi, HMT needs a Wi-Fi controller connected to the office LAN; in this design that is the wireless controller integrated into the FortiGate. Using the controller application we can set up wireless access points (WAPs) at appropriate locations in the office.
For ease of administration and maintenance all offices are given the same identifiable universal HMT-Wi-Fi name (SSID), with staff authenticating with their own credentials (identity-driven access, see Wireless AP) rather than a single shared passphrase.
To protect the company LAN from visiting clients, a separate guest SSID on its own Wi-Fi VLAN can be set up that only allows internet traffic: the firewall policy for that VLAN permits traffic to the internet and nothing else, so a visitor connected to the company Wi-Fi cannot reach the internal LAN, data and systems.
22 FortiAP Wireless AP
Highlights
- Supports the latest 802.11ac technology with an association rate of up to 1.3 Gbps.
- Leverage existing FortiGate or FortiWiFi platforms as controllers for low TCO.
- Integration with FortiManager and FortiAnalyzer for centralized management and reporting.
- Fast roaming for uninterrupted data access.
- Automatic Radio Resource Provisioning (ARRP) for optimized throughput.
- Layer 7 application control prioritizes business traffic.
- Rogue AP detection and mitigation to satisfy PCI DSS compliance.
Key Features & Benefits
- Advanced Security Protection: Wireless LAN security done right, from the leader in network security. Integrated Firewall, IPS, Application Control and Web Filtering protect the wireless LAN from the latest security threats.
- Integrated WIDS and Rogue AP Suppression: Protects the network from advanced wireless threats and satisfies PCI DSS compliance.
- Deep Application Control: Fortinet goes above Wireless Multimedia Extensions (WME) by offering deep Layer 7 inspection to precisely control applications and bandwidth usage.
- “Single Pane of Glass” Management Console: A unified management console simplifies operations, ensuring consistent and effective policy enforcement and compliance.
PLANNING WI-FI LAYOUT
Wi-Fi is a shared medium and operates in half-duplex mode. 802.11 Wi-Fi uses a band plan that breaks the available spectrum into groups of non-overlapping channels. How many users should use a single AP depends on the number of users that can be serviced adequately by that AP. To prevent two access points transmitting on the same channel and causing poor performance (co-channel interference, CCI), effective channel reuse must be employed: neighbouring APs are placed on different non-overlapping channels. The 5 GHz band has more usable channels and throughput than 2.4 GHz: up to 23 non-overlapping 20 MHz channels, depending on the regulatory domain, versus 3 (channels 1, 6 and 11) in the 2.4 GHz band. However, 5 GHz has a shorter range than 2.4 GHz, and older devices may not support the 5 GHz channels.
23 Channel reuse for the 2.4 GHz band
It is possible to increase the potential per-user throughput by decreasing the number of users contending for the aggregate throughput provided by a single AP. This can be done by decreasing the size of the coverage area, or by adding a second AP on a non-overlapping channel in the same coverage area. To reduce the coverage area, the AP transmit power or antenna gain can be reduced, resulting in fewer clients in that coverage area. This means more APs are needed for the same overall area, increasing the cost of deployment.
24 Typical Wireless AP layout with Channels
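The channel-reuse rule above, generalized into a small planner, as an added example that is not part of the original report or of any vendor tool: APs whose coverage circles overlap (closer than an assumed interference radius) must not share a channel, so the planner colours that neighbour graph with the band's non-overlapping channels and reports where it runs out, which is exactly the case where power must be reduced or the 5 GHz band used. The AP positions and radius are constructed test values, and the 5 GHz list is deliberately limited to the four UNII-1 channels because the full set depends on the regulatory domain.

```python
"""Greedy channel-reuse planner for a Wi-Fi layout (added example).
AP coordinates and the interference radius below are assumptions."""
import math

CHANNELS_2_4GHZ = [1, 6, 11]
# Only the lower UNII-1 channels are listed; the full 5 GHz plan is
# regulatory-domain dependent, so this is an assumption for the example.
CHANNELS_5GHZ_UNII1 = [36, 40, 44, 48]


def neighbours(aps, radius):
    """aps: {name: (x, y)} in metres. Two APs interfere if closer than radius."""
    adj = {name: set() for name in aps}
    for a, (ax, ay) in aps.items():
        for b, (bx, by) in aps.items():
            if a != b and math.hypot(ax - bx, ay - by) < radius:
                adj[a].add(b)
    return adj


def plan_channels(aps, radius, channels):
    """Welsh-Powell style greedy colouring: most-constrained AP first.
    Returns (assignment, conflicts). An AP lands in `conflicts` when every
    channel is already used by a neighbour, i.e. CCI cannot be avoided
    without lowering power, moving the AP or using a band with more channels."""
    adj = neighbours(aps, radius)
    order = sorted(aps, key=lambda n: (-len(adj[n]), n))
    assignment, conflicts = {}, []
    for ap in order:
        used = {assignment[n] for n in adj[ap] if n in assignment}
        free = [c for c in channels if c not in used]
        if free:
            assignment[ap] = free[0]
        else:
            # least-bad fallback: the channel with the fewest conflicting neighbours
            assignment[ap] = min(channels, key=lambda c: sum(assignment.get(n) == c for n in adj[ap]))
            conflicts.append(ap)
    return assignment, conflicts


def cci_pairs(aps, radius, assignment):
    """Neighbouring AP pairs left on the same channel (ideally none)."""
    adj = neighbours(aps, radius)
    return sorted({tuple(sorted((a, b))) for a in adj for b in adj[a] if assignment[a] == assignment[b]})


if __name__ == "__main__":
    # Constructed floor: four APs on a 10 m square, interference radius 12 m
    floor = {"A": (0, 0), "B": (10, 0), "C": (0, 10), "D": (10, 10)}
    plan, bad = plan_channels(floor, 12, CHANNELS_2_4GHZ)
    print(plan, bad, cci_pairs(floor, 12, plan))
    # Same floor with a larger radius: every AP hears every other, 2.4 GHz runs out
    plan, bad = plan_channels(floor, 20, CHANNELS_2_4GHZ)
    print(plan, bad, cci_pairs(floor, 20, plan))
```

In the second case the report of a conflict is the useful output: with only three non-overlapping 2.4 GHz channels, four mutually audible APs cannot be separated, and the options are the ones the text lists, reduce transmit power so fewer APs overlap, or move the dense area onto 5 GHz where the planner succeeds with four channels.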
To enable wireless roaming, the APs are managed by a single controller (here the FortiGate's integrated wireless controller, see Wireless AP) so that they share the same configuration and SSID. A feature known as “fast roaming” enables users to move between APs (across floors and buildings) without losing connectivity or having to re-authenticate.
25 Multiple Access Points (roaming enabled)
IMPLEMENTATION
ROLLOUT PHASES
Take a phased approach to implementation.
Deliver the core network components first:
- Routers
- Switches
- Firewalls
- Cabling
Follow with the core access pieces:
- XenDesktop servers
- AD/file system servers
- Thin client machines
- VOIP phones
Users can now access desktops and shared files, have internet access and are protected with reasonable security measures via the multi-purpose firewalls.
Cloud services should be brought in next, along with ensuring connectivity to the banking platform and airlines; the old ISDN lines and physical machines can then start to be decommissioned.
Other core services should be brought in next, such as Sage Payroll and Accounts, after which the remaining old machines can be decommissioned.
Lastly, new value-add services should be brought in, such as the Sage HRMS and CRM software, the new corporate website and Pay Online.
As disaster recovery is in place with servers at each of the two sites, extensive operational testing of the equipment, including site failovers, should be carried out as part of implementation.
RISK MANAGEMENT
The purpose of risk management for a business is to have a guideline for a plan B and to understand which potential threats could stop operations or create downtime.
In this assessment we need to look at the risks to Honeymoon Holidays' sensitive IT systems and data, and at protecting the resources that support the business mission.
Risk is assessed at three levels (High, Moderate, Low). The risk level is read from the probability of threat occurrence (natural or environmental threats) or threat motivation and capability (human threats), against the effectiveness of the controls in place:
Effectiveness of controls    Probability of threat occurrence: Low    Moderate    High
High                         Low                                      Low         Moderate
Moderate                     Low                                      Moderate    High
Low                          Moderate                                 High        High
Risk level definitions:
High: Loss of confidentiality, integrity or availability which could have a severe or catastrophic effect on business operations, assets or individuals.
Moderate: Loss of confidentiality, integrity or availability which could have a serious effect on business operations, assets or individuals.
Low: Loss of confidentiality, integrity or availability which could have a limited or little effect on business operations, assets or individuals.
26 Risk Analysis 1
Honeymoon Holidays must look at the risks to the IT system that arise when vulnerabilities (i.e. flaws or weaknesses) in the IT system or its environment can be exploited by threats (i.e. natural, human or environmental factors).
Below are the potential risks, each listed as: vulnerability; threat; what is at risk of compromise; risk summary.
Risk 1
Vulnerability: Wet-pipe sprinkler system in the Honeymoon Holidays data centre.
Threat: Fire.
At risk: Availability of Honeymoon Holidays systems and data.
Summary: Fire would activate the sprinkler system, causing water damage and compromising the availability of Honeymoon Holidays systems.
Risk 2
Vulnerability: Honeymoon Holidays user identifiers (IDs) that are no longer required are not removed in a timely manner.
Threat: Unauthorized use.
At risk: Confidentiality and integrity of Honeymoon Holidays data.
Summary: Unauthorized use of unneeded user IDs could compromise the confidentiality and integrity of Honeymoon Holidays data.
Risk 3
Vulnerability: Honeymoon Holidays access privileges are granted on an ad-hoc basis rather than using predefined roles.
Threat: Unauthorized access.
At risk: Confidentiality and integrity of Honeymoon Holidays data.
Summary: Unauthorized access via ad-hoc privileges could compromise the confidentiality and integrity of Honeymoon Holidays data.
Risk 4
Vulnerability: New patches to correct flaws in application security design have not been applied.
Threat: Malicious use (cyber crime).
At risk: Confidentiality and integrity of Honeymoon Holidays data.
Summary: Exploitation of unpatched application security flaws could compromise the confidentiality and integrity of Honeymoon Holidays data.
Risk 5
Vulnerability: User names and passwords are in scripts and files.
Threat: Malicious use (cyber crime).
At risk: Confidentiality and integrity of Honeymoon Holidays data.
Summary: Exploitation of passwords found in scripts and files could compromise the confidentiality and integrity of Honeymoon Holidays data.
Risk 6
Vulnerability: Passwords are not set to expire; regular password changes are not enforced.
Threat: Malicious use (cyber crime).
At risk: Confidentiality and integrity of Honeymoon Holidays data.
Summary: Compromise of unexpired/unchanged passwords could compromise the confidentiality and integrity of Honeymoon Holidays data.
Risk 7
Vulnerability: Sensitive Honeymoon Holidays data is stored on USB drives.
Threat: Malicious use.
At risk: Confidentiality of Honeymoon Holidays data.
Summary: Loss or theft of USB drives could compromise the confidentiality of Honeymoon Holidays data.
27 Potential Risks for Honeymoon Holidays
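Detection logic for risk 5 above (credentials embedded in scripts and files), as an added example that is not part of the original report: it scans text for common credential patterns (password assignments, connection strings, private key blocks, credentials in URLs, passwords on a Windows net use line), skips obvious placeholders, and reports the location and type of each finding while masking the secret itself so the report does not become a second copy of the credentials. The patterns and placeholder list are assumptions to be tuned to the tools actually in use, and the sample files are constructed.

```python
"""Hardcoded-credential scanner (added example). Patterns and the sample
files are constructed for illustration; tune the patterns to your estate."""
import re

# Ordered: the first matching pattern on a line wins. All patterns are assumptions.
PATTERNS = [
    ("connection string", re.compile(r"(?i)(password|pwd)=([^;\s]+)")),
    ("password assignment", re.compile(r"(?i)\b(pass(word|wd)?|pwd)\s*[:=]\s*['\"]?([^\s'\";]{4,})")),
    ("private key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("basic auth in URL", re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@")),
    ("net use password", re.compile(r"(?i)\bnet use\b.*\s/user:\S+\s+(\S+)")),
]
# Values that are clearly templates rather than live secrets
PLACEHOLDERS = {"changeme", "xxxx", "<password>", "${password}", "%password%"}


def mask(secret: str) -> str:
    """Keep two characters for triage; never echo the whole secret."""
    return secret[:2] + "*" * max(0, len(secret) - 2)


def scan_text(name: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            secret = m.group(m.lastindex) if m.lastindex else ""   # last group holds the secret
            if secret.lower() in PLACEHOLDERS:
                continue
            findings.append({"file": name, "line": lineno, "type": label, "secret": mask(secret)})
            break
    return findings


def scan_files(files: dict) -> list:
    """files: {name: text}. Returns every finding across all files."""
    return [f for name, text in files.items() for f in scan_text(name, text)]


# Constructed sample files; the credentials in them are invented.
SAMPLE_FILES = {
    "backup.bat": "net use Z: \\\\fileserver\\share /user:HMT\\backup Winter2016!\nxcopy C:\\data Z:\\ /s\n",
    "db.config": "Server=sql01;Database=Sage;User Id=sa;Password=S3cret!;\n",
    "deploy.sh": "#!/bin/sh\nPASSWORD=changeme\ncurl https://svc:Pa55w0rd@api.example.com/v1/\n",
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['type']} {f['secret']}")
```

Running it over the constructed files flags the net use password, the connection string, the credential embedded in the curl URL and the private key, and ignores the PASSWORD=changeme template line. The same scan belongs in the change-control step of the rollout (scripts and configuration checked before they are deployed to the new servers), which is cheaper than finding the credentials after an incident.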
Recommended controls required for Honeymoon Holidays:
Control area: Planned or in place
Data Protection: Planned
Facilities Security & Personnel Security: Planned
Threat Management & Security Controls: Planned
Risk Management: Planned
Contingency Planning: Planned
IT Systems Security: Planned
Description of controls (all planned):
- IT System & Data Sensitivity Classification
- IT Security Roles & Responsibilities
- Business Impact Analysis
- IT System Inventory & Definition
- IT Security Audits
- Continuity of Operations Planning
- IT Disaster Recovery Planning
- IT System & Data Backup & Restoration
- IT System Hardening
- Malicious Code Protection
- IT Systems Development Life Cycle Security
- Account Management
- Password Management
- Remote Access
- Data Storage Media Protection
- Encryption
- Facilities Security
- Access Determination & Control
- IT Security Awareness & Training
- Acceptable Use
- Incident Handling
- Threat Detection
- Security Monitoring & Logging
- IT Asset Control
- Software License Management
- Configuration Management & Change Control
28 Recommended Risk Control for Honeymoon Holidays
CONCLUSION
Honeymoon Holidays as it stands today is not an IT-efficient company. With no IT network between departments or offices, it wastes time managing the business instead of growing the business to meet the demands of an ever more IT-literate public. For the company to grow and survive long term, improvements in its IT infrastructure are a must.
The key areas of reform will be the current IT network and communication between the various departments, while retaining full security of data. The net benefits are: ease of access for remote sales and managerial staff; up-to-date reports on business profitability and expenditure; staff management, HR resourcing and accounting via central Sage reporting; and a modern interface to the flight and hotel booking software.
Once Honeymoon Holidays implements all of the above recommendations it will have a very strong, secure network infrastructure which will allow it to grow and expand within Ireland.
APPENDICES
APPENDIX 1 – VENDOR SELECTION
FORTINET
Best price/performance and consolidated security; more signatures for visibility and control of Web 2.0 applications; proven security through threat research and third-party certifications.
- Best price/performance network security platform in the market, providing predictable performance with real-world traffic.
- Fortinet ranked #1 in the NSS Labs Firewall 2013 test and earned the NSS Labs “Recommended” rating in the Firewall, NGFW and IPS 2013 tests.
- Fortinet continues its 5-year leadership in the Gartner Magic Quadrant for Unified Threat Management, 2013, and appears in 4 other Gartner Magic Quadrants.
- Lowest total cost of ownership and price per protected Mbps according to NSS Labs. Achieved the top score of 95 on the BreakingPoint/IXIA Resiliency Test.
More Web 2.0 visibility and control, and better centralized management: easy control of over 2,900 applications. Fortinet has a range of FortiManager and FortiAnalyzer appliances to meet customers' needs. FortiManager can deploy thousands of new devices, distribute updates and install security policies across managed assets. FortiAnalyzer provides central security event logging, reporting, forensic research, content archiving, data mining and malicious file quarantining.
Proven security, threat research and third-party certifications: no one comes close to the third-party certifications Fortinet has achieved. NSS Labs, ICSA, VB100 and others are a testament to the protection.
Vs Cisco: competitive matrix and customer deployment. With price/performance and proven security, Fortinet provides network security for all markets.
- Fortinet provides a 10 Gbps appliance (FortiGate 800C) in the sub-$10K price band, whereas the entry-level 10 Gbps Cisco ASA appliance is the ASA 5585-X SSP10 at $40K, with non-competitive performance.
- Currently, Cisco's release offers a choice of running IPS or next-generation firewall (CX), but cannot run both.
- “Gartner does not view Cisco's security strategy as messaging effectively in the broader NGFW market”, Gartner MQ Enterprise Firewall, 2013.
- Fortinet's own comparison puts the FortiGate range well ahead of the Cisco ASA 5500-X/5585-X series in security performance, scalability and total cost of ownership: a single FortiGate appliance offers more functionality than up to 7 pieces of Cisco hardware, and, at a fraction of the cost, the FortiGate 3600C vs. Cisco ASA 5585-X SSP60 is the example given of how Fortinet beats Cisco in price/performance, capacity and overall security.
Benefits
- Service based on Fortinet's award-winning Next Generation Firewall (NGFW) / Unified Threat Management (UTM).
- Complete protection against malware, spyware, spam and intrusion attempts.
- Round-the-clock threat defence from our 24x7 Security Operations Centre monitoring.
- Ongoing firewall maintenance (firmware / patches / upgrades).
- Ongoing policy changes and configuration updates by our SOC staff as required.
- Customizable web filtering.
- Remote VPN access for users: anywhere / any device / any time.
- Next business day hardware replacement.
Components
- Fortinet UTM device
- Fortinet UTM subscription
- 8x5 NBD Enhanced Support
Next Generation Firewall (NGFW) / Unified Threat Management (UTM) device with UTM subscription: FortiGate 60D / 90D / 100D.
Features: Next Generation Firewall feature set, network-based AV, antispam service, web filtering service, intrusion prevention, SSL VPN.
VPN and Tokens
A VPN secures the user's computer's internet connection so that all data sent and received is encrypted, and provides a way to access resources on a network the user is not physically connected to. The best VPNs offer a solid balance of features, server location, connectivity protocols and price. Fortinet's SSL VPN (TLS) and IPsec VPN options will provide a secure connection; remote-user logins should be combined with the FortiToken two-factor authentication described below, since the VPN protects the connection but not a stolen password.
Two-Factor Authentication & PKI SolutionsFortiToken Strong Authentication Solutions allow you to easily enable Two-factor Authentication for access to protected Networks and Security devices. Two-factor authentication solutions improve security and reduce the risk of compromise inherent in single-factor authentication solutions such as static passwords.
User Identity ManagementFortiAuthenticator extends two-factor authentication capability to multiple FortiGate appliances and to third party solutions that support RADIUS or LDAP authentication. User identity information from FortiAuthenticator combined with authentication information from FortiToken ensures that only authorized individuals are granted access to your organization’s sensitive information. This additional layer of security greatly reduces the possibility of data leaks while helping companies meet audit requirements associated with government and business privacy regulations. FortiAuthenticator supports the widest range of tokens possible to suit your user requirements. With the physical time-based FortiToken 200, FortiToken Mobile (for iOS and Android), e-mail and SMS tokens, FortiAuthenticator has token options for all users and scenarios. Two-factor authentication can be used to control access to applications such as FortiGate management, SSL and IPsec VPN, Wireless Captive Portal login and third-party, RADIUS compliant networking equipment.
Enterprise Certificate Based VPNs
Site-to-site VPNs often provide direct access to the heart of the enterprise network from many remote locations. Often these VPNs are secured simply by a pre-shared key which, if compromised, could give access to the whole network. FortiOS supports certificate-based VPNs; however, the use of certificate-secured VPNs has been limited, primarily due to the overhead and complexity introduced by certificate management. FortiAuthenticator removes this overhead by streamlining the bulk deployment of certificates for VPN use in a FortiGate environment, cooperating with FortiManager for the configuration and automating secure certificate delivery via the SCEP protocol. For client-based certificate VPNs, certificates can be created and stored on the FortiToken 300 USB certificate store. This secure, PIN-protected certificate store is compatible with FortiClient and can be used to enhance the security of client VPN connections in conjunction with FortiAuthenticator.
Highlights
- Low cost per user with no user-based licensing makes the FortiAuthenticator one of the most cost-effective solutions in the market.
- Standards-based secure authentication which works in conjunction with FortiTokens to deliver secure two-factor authentication to any third-party device capable of authentication via RADIUS or LDAP.
- Hardened appliance which can be deployed in minutes to secure access to your network infrastructure.
- Integrates with existing solutions such as LDAP or AD servers to lower the cost and complexity of adding strong authentication to your network.
- Support for e-mail and SMS tokens enables rapid deployment of two-factor authentication without the need for additional dedicated hardware.
- User self-service password reset lowers your costs by allowing users to reset their own password without administrator intervention.
- Certificate Authority functionality simplifies your CA management and delivers user certificate signing, FortiGate VPN or server X.509 certificates for use in certificate-based two-factor authentication.
- Upgrade path from FortiGate/FortiToken allows you to maximize your existing investment and scale your two-factor deployment when needed.
AIRWATCH FOR MOBILE SECURITY
Mobile Device Management (MDM) software secures, monitors, manages, and supports, reports and alerts on smartphones deployed across your organization. The intent of MDM is to optimize the functionality, productivity and security of a mobile communications network, while minimizing cost and downtime.
The AirWatch service delivers a web-based, enterprise-grade mobile device and smartphone management solution that enables organizations to secure, monitor, manage and support all their mobile devices and their wireless infrastructure, while also successfully achieving compliance with all governmental regulations.
What this product offers is five phases of managing Smartphones and mobile devices
Deploy
activate devices using SMS, Email, URL and other flexible options enrol corporate and employee-liable devices individually or en masse instantly configure policies, settings, certificates and access to enterprise accounts over
the air Wirelessly provision internal and recommended apps through the enterprise app
catalogue.
Secure
ensure authorised and compliant devices have secured access to enterprise resources and accounts while preventing unauthorised device use by locking down device features and enforcing restrictions
protect personal and corporate data and the entire device through encryption and passcode policies
Automate business policies for non-compliant or jail broken devices.
Monitor
monitor both devices and network health status and statistics Track user activity, such as app downloads, voice, SMS and data usage against pre-
defined thresholds, white or black lists.
Manage
streamline and automate mobile asset and inventory management quickly and easily update and provision new policies, settings, certificates, apps, software and access to
enterprise accounts - over the air Push down apps, software or remote lock/wipe commands on-demand.
Support
perform device diagnostic tests remotely to identify issues provide remote assistance to mobile users and communicate from the console via SMS
messaging Take remote control of a device for more efficient troubleshooting.
Industry Accolades: 200+ awards, including:
Security Product of the Year
Best Integrated Security Appliance
Best UTM
Best IPS solution
Top Mid-market Solution
5 ICSA security certifications
NSS recommended (FW, NGFW, IPS, ATP)
ISO 9001 certified
APPENDIX 2 – HARDWARE SELECTION
FIREWALL HARDWARE – DUBLIN OFFICE – FORTIGATE 100D X 2
Mid-Range Business Platform – FortiGate 100D – rack-mount deployment. Ideal for mid-range offices. Recommended for 50 to 100+ users.
2x GE RJ45 WAN Ports
1x GE RJ45 DMZ Interface Port
1x GE RJ45 Mgmt. Interface Port
2x GE RJ45 HA Interface Ports
14x GE RJ45 Switch Ports
2x Shared Media interface pairs
WIRELESS HARDWARE – DUBLIN OFFICE – FORTIAP 221C X 4
The FortiAP 221C is a dual-radio AP designed for medium-density indoor environments, including hotspot and guest or social Wi-Fi deployments. The RP-SMA antenna connectors on the FortiAP 223C allow directional or panel antennas to be installed, providing a range of antenna options in environments with challenging coverage requirements. The FortiAP 221C is a dual-radio, dual-band 802.11ac AP, supporting simultaneous client connections and rogue AP scanning for PCI compliance.
FIREWALL HARDWARE – CORK OFFICE – FORTIGATE 90D X 2
Small Business Platform – FortiGate 90D – desktop deployment. Ideal for small offices. Recommended for 20 to 50 users.
2x GE RJ45 WAN Ports
14x GE RJ45 Switch Ports
Standalone pricing: €2670, fully managed service.
WIRELESS HARDWARE – CORK OFFICE – FORTIAP 24D X 2
The FortiAP 24D is a cost-effective single-radio 802.11n AP, designed for non-mission-critical applications in low-density indoor environments such as small branch offices. The integrated switch ports allow you to connect additional wired devices, such as PCs or printers, directly to the AP.
ACCESS SWITCHES – DUBLIN AND CORK OFFICES – JUNIPER EX2200 (24 PORT)
We are recommending the Juniper EX2200 24-port model switches to be used as the required Access Switches in all offices. These switches support the key features required by the business, as called out in the System Architecture.
EX2200 switches provide:
Up to four uplink ports.
12 (compact, fanless model), 24, or 48 built-in network ports with 10/100/1000BASE-T Gigabit Ethernet connectors.
Virtual Chassis capability: you can connect up to four EX2200 switches (including EX2200-C switches) together to form one unit that you manage as a single chassis, called a Virtual Chassis, starting in Junos OS Release 12.2.
Power over Ethernet (PoE or PoE+) on all network ports (in PoE-capable models).
DISTRIBUTION SWITCHES – DUBLIN AND CORK OFFICES – JUNIPER EX4200 (24 PORT)
We are recommending the Juniper EX4200 24-port model switches to be used as the required Distribution Switches in all offices. These switches support the key features required by the business, as called out in the System Architecture.
EX4200 switches include:
Dual redundant power supplies that are field-replaceable and hot-swappable. An optional additional connection to an external power source is also available.
A field-replaceable fan tray with three fans. The switch remains operational if a single fan fails.
Redundant Routing Engines in a Virtual Chassis configuration. This redundancy enables graceful Routing Engine switchover (GRES) and nonstop active routing (NSR).
Junos OS, whose modular design enables failed system processes to restart gracefully.
EX4200 switches have these features:
Run under Junos OS for EX Series switches.
Available in 24-port and 48-port models.
Available with full (all ports) PoE/PoE+ capability or partial (8 ports) PoE capability.
Optional uplink modules that provide connection to distribution switches.
SOFTWARE – DUBLIN AND CORK – TWO-FACTOR AUTHENTICATION – FORTITOKEN SOFTWARE X 100 (FTM-LIC-100)
Software one-time password tokens for iOS, Android and Windows Phone mobile devices. Perpetual licenses for 100 users. Electronic license certificate.
APPENDIX 3 – SOFTWARE SELECTION
MICROSOFT
Windows Server 2012
Office 365, Exchange 2016
Skype for Business
SAGE
Sage HR
Having a single established and widely used vendor provides consistency across HR and Payroll applications and reduces risk. (Sage.ie, 2016)
Sage HR Pros:
MS Office integration
Sage Micropay Professional integration
Manage employee information, documents and entitlements
Manage training, performance appraisals and targets
Sage Payroll
Sage Payroll Pros:
Links to Sage Accounts and Sage HR
Manage holiday entitlements, payments and deductions
Fully manage payroll and taxes
Backup and restore key data easily
Link to online ROS submissions
Sage CRM Cloud Professional
Sage CRM Cloud Professional Pros:
Manage products and equipment
Oversee key business projects
Track competitors
Track brand and company mentions
Available on mobile (iOS and Android)
Analyze sales campaigns
Sage Pay Online
Sage Pay Online Payments Pros:
Wide range of payment options
Mail and telephone payment support
Accepts invoice payments directly through Sage Accounts
Secure: real-time AVS/CV2 checks and 3D Secure authentication
Free support 24/7
Advanced fraud screening tools as standard
Sage 50 Accounts
Sage 50 Accounts Professional Pros:
Manage company finances
Manage company products and services
Overview of customer activity
Manage suppliers
Manage stock
Integrates with Sage Drive for cloud backups
Provides requisite bank feeds
APPENDIX 4 – BUSINESS REQUIREMENTS
Business Requirements (Req. #, Name, Description)
REQ001 Expand use of technology
Make common applications and platforms available to all staff on any device.
REQ002 Improve delivery of services
Aid internal and external communication.
REQ003 Strategic Alliance - Global Company
Open up the possibility of a strategic alliance with a global travel company. Make this achievable with a planned, secure network that can be opened globally. PolyCon meeting facilities.
REQ004 Network Connect the Retail Shops
Several retail shops around the city centre and main shopping centres.
REQ005 MD Laptop Connectivity
Maintain the MD's laptop as it has a modern spec.
REQ006 MD Data Transfer
Remove the need for using CDs and memory sticks to transfer data.
REQ007 Finance Manager Connectivity
Refresh the Finance Manager's dated desktop with a thin client terminal, connected to the Citrix XenDesktop server.
REQ008 Finance Manager Security Concerns
Utilise the Fortinet Firewall, VPN, AV and Websense solution to allay security concerns. Utilise AirWatch for mobile security.
REQ009 Finance Manager Cost Concerns
Provide the required security using cost-effective means: thin client architecture; a single Fortinet device in each of the Dublin and Cork offices.
REQ010 Accounts Desktops
Replace "dumb" terminals with thin client terminals, connected to the LAN and Citrix XenDesktop server.
REQ011 Accounts Software - Payroll
Replace local hosting for the payroll platform with a cloud-based SAAS provider for cost, supportability and resiliency. Take payroll information from HR to avoid rekeying; ensure that HR also have access to the cloud payroll solution and that employees have one system on which to log time.
REQ012 Accounts Bank Access
Replace the local PC ISDN access with connectivity over the internet. Provision bank connectivity over SFTP for payroll files.
REQ013 Accounts Software - Client Accounts
Recommend use of another SAAS CRM software to allow access both from the company and for customers to their accounts. Ensure the Sales Team also has access to enter details directly into the CRM system. Replace integration with the major airline systems, using airline APIs where possible.
REQ014 Sales desktops
Replace stand-alone PCs with thin client terminals, connected to the LAN and Citrix XenDesktop server.
REQ015 Sales laptops
Replace laptops with up-to-date Win X machines.
REQ016 Sales tablets
Maintain the tablets; they can be used for testing client access to the company website and client portal using Android and OS/X. Provide network connectivity wirelessly.
REQ017 Sales Manager PC
Replace the stand-alone PC with a thin client terminal, connected to the LAN and Citrix XenDesktop server.
REQ018 Sales Hot Desks
Provide thin client terminals, connected to the LAN and Citrix XenDesktop server.
REQ019 Sales/Marketing Software
Provide the latest Publisher via Office 365. Provide a central source on the network for pricing that Sales staff can access directly, to avoid calling in at 5:30pm daily.
REQ020 Company Website
Arrange for a third party to provision a website and arrange hosting. Ensure this is a Content Management System (CMS) so that the company can update the requisite details themselves. It should also provide links to the company's CRM web-based solution for a seamless user experience for clients with accounts. Ensure it is set up for consistency across end-user devices and little to no code maintenance.
REQ021 Administration desktops
Replace stand-alone PCs with thin client terminals, connected to the LAN and Citrix XenDesktop server. Scrap Microsoft Windows for Workgroups as the software is deprecated and has a maintenance overhead without adding value.
REQ022 Administration ISDN
Remove the 4-line ISDN present for Administration; all clients will have the requisite internet access provided via the ISP and controlled through the Active Directory setup and the Fortinet firewall and Web Filter.
REQ023 Administration E-mail
Replace the current single Hotmail email account with individual accounts on MS Outlook (Office 365), hosted on the company's new web domain. Set up mailing groups or shared mailboxes for each department to avoid exchanging emails between departments either by hand or through email.
REQ024 HR desktops
Provide thin client terminals for each HR staff member, connected to the LAN and Citrix XenDesktop server.
REQ025 HR Software
Provide a SAAS software solution for Payroll, Time Recording and HRMS.
REQ026 Network: LAN
Provide LAN access to all permanent on-site employees via new thin clients. Provide LAN access for Sales Hot Desks also via new thin clients.
REQ027 Network: WAN
Provide WAN access between the Dublin and Cork offices, preferably extending the LAN and maintaining QoS.
REQ028 Network: WAP
Provide the requisite Wireless Access Points to allow all laptop and mobile devices to access the network effectively.
REQ029 Network: VPN
Ensure presence of a VPN for remote login, and between offices.
REQ030 Network: Business Internet
Ensure adequate business (symmetric) internet is available to service the company's needs and the new cloud-based SAAS model for key software, along with VOIP and the requisite QoS.
REQ031 Telecoms: VOIP
Arrange setup of a cloud-based VOIP solution, with the requisite QoS internally and externally. As a fallback, maintain two physical telephone lines in Dublin and one in Cork and each satellite office to ensure calls can still be made and received.
REQ032 Server: Active Directory
Provide a new Active Directory server for managing user access that will also manage the LAN shared file systems.
REQ033 Server: Shared File System
LAN shared file systems will be managed via the same server that hosts Active Directory.
REQ034 Server: Virtual Desktops
Provide a server to set up virtual desktops in a thin client architecture, to achieve economies of scale as the company grows, to enable end-users to access the same desktop regardless of where they are connecting from, and to lower the maintenance and replacement costs of physical hardware.
REQ035 Storage: Shared Redundant Storage
Ensure the requisite redundant shared storage is in place and backups are taken regularly to avoid any loss of key data.
REQ036 Server: Backup Server
Ensure the requisite backup servers are in place for Disaster Recovery.
APPENDIX 5 - STAR NETWORK EXPLANATION
In its simplest form, a star network consists of one central switch, hub or computer, which acts as a conduit to transmit messages. It has a central node to which all other nodes are connected; the central node is the common connection point between the other nodes via a hub or switch. The star topology reduces the damage caused by line failure by connecting all of the systems to a central node. When applied to a bus-based network, this central hub rebroadcasts all transmissions received from any peripheral node to all peripheral nodes on the network, sometimes including the originating node. All peripheral nodes may thus communicate with all others by transmitting to, and receiving from, the central node only. The failure of a transmission line linking any peripheral node to the central node will result in the isolation of that peripheral node from all others, but the rest of the systems will be unaffected.
Star networks are very reliable because if one computer or its connection breaks, it doesn't affect the other computers and their connections.
A star layout is expensive to install because of the amount of cabling needed. If the server crashes or stops working, no computers will be able to access the network. If the hub or switch fails, the whole system will go down as well.
Star Network, simple form
APPENDIX 6 – HARDWARE REQUIREMENTS
The following table is a preliminary list of the upgrade to Honeymoon Holidays IT Infrastructure. It is by no means complete and should not be taken as a final statement of the project requirements.
Proposed IT Hardware for Honeymoon Holidays (departments: Accounts, Administration, Sales, HR; plus the Cork Office)
Role: Laptop/Desktop (required); Mobile (required); Printer, Canon (required)
Managing Director: Dell Inspiron 5000 series (1); Samsung S6 (1); MAXIFY MB2050 (1)
Finance Manager: Dell Inspiron 5000 series (1); Samsung S6 (1); MAXIFY MB2050 (1)
HR Manager: Dell Inspiron 5000 series (1); Samsung S6 (1)
Clerks: Wyse 3020 with ThinOS + monitor and keyboard, VOIP enabled (2)
Sales Manager/Coordinator: Dell Inspiron 5000 series (1); Samsung S6 (1)
Marketing Coordinator: Dell Inspiron 5000 series (1); Samsung S6 (1)
Sales team: Wyse 3020 with ThinOS + monitor and keyboard, VOIP enabled (25); Samsung S6 (25)
Manager: Dell Inspiron 5000 series (1)
Admin Staff: Wyse 3020 with ThinOS + monitor and keyboard, VOIP enabled (5)
Staff: Wyse 3020 with ThinOS + monitor and keyboard, VOIP enabled (5)
Trainees: Wyse 3020 with ThinOS + monitor and keyboard, VOIP enabled (6)
Manager: Dell Inspiron 5000 series (1); Samsung S6 (1)
Staff: Wyse 3020 with ThinOS + monitor and keyboard, VOIP enabled (10)
Department printers (Canon), in the order listed:
C3330i, up to 30,000 pages per month (1)
C3330i, up to 30,000 pages per month (2)
MAXIFY MB2050 (1)
MAXIFY MB2050, shared between the departments (2)
Future room for expansion is enabled via Fortinet switches.
Required: Servers 6; Switches 12; Routers 4; Modems 5; Wiring N/A
Internet Connectivity Solution (Eircom, Vodafone, UPC, Imagine, etc.)
Hardware (item: quantity):
WAP FortiAP 221C – Dublin: 4
WAP FortiAP 24D – Cork: 2
FortiClient: 100 licences
FortiAuthenticator – Dublin (all): 1
Firewall FortiGate-100D – Dublin: 2
Switch Juniper EX2200-24-T: 12
Switch Juniper EX4200-24PX-TAA: 3
Router Juniper MX5-T-AC: 2
Desktop HP Thin Client G9F08AA: 22
Payroll – Sage MicroPay Professional (Unlimited Users): 1
CRM – Sage CRM Cloud Professional (50 Users): 1
Payments – Sage Pay Online, per payment: 1
Accounting – Sage 50 Accounts Professional: 1
PoE
Backend Hardware:
Cat6 cabling (price per 10 metres)
Networking Solutions:
Symmetric (Business) DSL
Eircom MPLS WAN with VPN and SIP support
Firewall configuration (Watchguard, Sonicwall etc.)
Installation of new data switch (8-port to 12-port)
Apple-to-Windows networking (2 systems)
Wireless Connectivity Solutions (e.g. re-configuration of wireless router)
Wireless Network Extension (excluding hardware)
Setup and configuration of network shares per PC or server
Setup and configuration of network shares per Mac (Apple)
BIBLIOGRAPHY
Anon, (2016). [online] Available at: http://www.hp.com/rnd/pdf_html/wirelessLANsite_assessment.html [Accessed 10 Apr. 2016].
Azure.microsoft.com. (2016). Microsoft Azure: Cloud Computing Platform and Services. [online] Available at: https://azure.microsoft.com/en-gb/? [Accessed 10 Apr. 2016].
Blog.buildingautomationmonthly.com. (2016). [online] Available at: http://blog.buildingautomationmonthly.com/wp-content/uploads/2013/05/OSI-Model.png [Accessed 9 Apr. 2016].
Citrix.com. (2016). Licensing Basics. [online] Available at: https://www.citrix.com/buy/licensing.html [Accessed 10 Apr. 2016].
Citrix.com. (2016). XenDesktop VDI Virtual Desktop Infrastructure. [online] Available at: https://www.citrix.com/products/xendesktop/overview.html [Accessed 10 Apr. 2016].
Fortinet.com. (2016). FortiGuard-Security-Services.pdf. [online] Available at: http://www.fortinet.com/sites/default/files/productdatasheets/FortiGuard-Security-Services.pdf [Accessed 6 Apr. 2016].
Sage.ie. (2016). Sage 50 Accounts Professional Detailed Information. [online] Available at: http://www.sage.ie/software-and-services/accounting-and-finance/sage-50-accounts-professional/detailed-information [Accessed 4 Apr. 2016].
Sage.ie. (2016). Sage HR: Software to simplify running human resources. [online] Available at: http://www.sage.ie/software-and-services/hr/sage-hr [Accessed 4 Apr. 2016].
Sage.ie. (2016). Sage Pay: Accept online payments securely and easily. [online] Available at: http://www.sage.ie/software-and-services/payments/sage-pay-online-payments [Accessed 4 Apr. 2016].
Shop.sage.ie. (2016). Sage CRM Cloud Professional | CRM Software | Sage Ireland Store. [online] Available at: https://shop.sage.ie/sage-crm-cloud-professional.aspx [Accessed 4 Apr. 2016].
Shop.sage.ie. (2016). Sage Micropay Professional | Payroll Software | Sage Ireland Store. [online] Available at: https://shop.sage.ie/micropay-professional.aspx [Accessed 4 Apr. 2016].
Vodafone.ie. (2016). One Net Express for Your Business | Vodafone Ireland. [online] Available at: http://www.vodafone.ie/small-business/phones-plans/one-net-express/?gclid=Cj0KEQjwoYi4BRDF_PHHu6rI7NMBEiQAKZ-JuFeGopAV3LE08XraJLhHPtx_frmo4mO7NmOzPEz17IEaAqUa8P8HAQ&gclsrc=aw.ds [Accessed 5 Apr. 2016].
YouTube. (2016). Cisco QoS: Design and Best Practices for Enterprise Networks. [online] Available at: https://www.youtube.com/watch?v=xePZcobaJUY [Accessed 9 Apr. 2016].
YouTube. (2016). Deploying MVRP Learning Byte. [online] Available at: https://www.youtube.com/watch?v=C-JkzYbGPBk [Accessed 4 Apr. 2016].